CVE-2019-15105
published 2019-08-16

Priority: P267 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.79% (93.9th percentile)
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

Affected

1 range
Vendor | Product | Version range | Fixed in
zohocorp | manageengine_applications_manager | 12.0 – 14.2 |

Detection & IOCs (extracted from sources)

url: /jsp/NewThresholdConfiguration.jsp?resourceid=
url: /jsp/NewThresholdConfiguration.jsp
port: 9090
  • Detect SQL injection attempts against the resourceid parameter of NewThresholdConfiguration.jsp; payloads use CHAR()-encoded strings (e.g., CHAR(65)+CHAR(68)+...) characteristic of MSSQL/PostgreSQL blind SQLi.
  • Check for the version fingerprint string 'Build No:142' in HTTP responses from the ManageEngine Application Manager index page, which the exploit uses to confirm a vulnerable target.
  • Monitor for GET requests to /showTile.do with TileName=.ExecProg parameter, which the exploit uses to enumerate the execution directory and confirm the 'Execute Program Action(s)' feature is accessible.
  • A low-privilege user account performing admin-level actions (createExecProgAction, executeScript) after authentication is a strong indicator of successful privilege escalation via an SQLi-created admin account.
  • The exploit supports both MSSQL and PostgreSQL backends; SQLi payload construction differs per database type. Detection rules should account for both CHAR()-based (MSSQL) and PostgreSQL-specific injection syntax.
  • The default Metasploit module uses port 9090 without SSL; deployments behind a reverse proxy on port 443/80 with SSL will require adjusted network detection signatures.
  • The exploit targets ManageEngine Application Manager through version 14.2 (Build No:142); versions beyond this build are reported as not vulnerable by the module's check function.
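
The first and third detection points above can be checked against web access logs. The following is an added example, not code from this page or from the vendor: it assumes a Common Log Format access log and that legitimate resourceid values are purely numeric, and the sample lines, users and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed access-log layout (Common Log Format); adjust LINE_RE to your server.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
CHAR_RE = re.compile(r"char\s*\(\s*\d+\s*\)", re.I)  # CHAR()-encoded strings
NUMERIC_ID = re.compile(r"[0-9]{1,20}")  # assumption: legitimate ids are numeric

# Constructed sample lines (documentation IPs, invented users), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - alice [16/Aug/2019:10:00:00 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000055 HTTP/1.1" 200 512
192.0.2.44 - guest1 [16/Aug/2019:10:02:11 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=1%3B+CHAR(65)%2BCHAR(68) HTTP/1.1" 200 498
192.0.2.44 - guest1 [16/Aug/2019:10:02:40 +0000] "GET /showTile.do?TileName=.ExecProg HTTP/1.1" 200 2048
192.0.2.10 - alice [16/Aug/2019:10:03:00 +0000] "GET /showTile.do?TileName=.Dashboard HTTP/1.1" 200 900
"""

def classify(uri):
    """Return the names of the detection rules a request URI matches."""
    parts = urlsplit(uri)
    # parse_qs percent-decodes values, so encoded payloads are matched too.
    query = parse_qs(parts.query, keep_blank_values=True)
    path = parts.path.lower()
    hits = []
    if path.endswith("/jsp/newthresholdconfiguration.jsp"):
        for value in query.get("resourceid", []):
            if CHAR_RE.search(value):
                hits.append("resourceid-char-encoding")
            elif not NUMERIC_ID.fullmatch(value):
                hits.append("resourceid-non-numeric")
    if path.endswith("/showtile.do") and ".ExecProg" in query.get("TileName", []):
        hits.append("execprog-tile-request")
    return hits

def scan(log_text):
    """Return (source, user, rule) for every rule hit in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, user, _method, uri, _status = m.groups()
        findings.extend((src, user, rule) for rule in classify(uri))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Parameters sent in a POST body do not appear in an access log, so this covers only query-string requests; the same classify() rules can be applied to body parameters captured by a proxy or WAF.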

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C